Google has recently tackled a significant security vulnerability affecting its Gemini CLI tools, including the ‘@google/gemini-cli’ npm package and the ‘google-github-actions/run-gemini-cli’ GitHub Actions workflow. This flaw, rated with a maximum CVSS score of 10.0, posed a critical risk by allowing attackers to execute arbitrary commands on host systems. The discovery was made by Novee Security, which highlighted the potential for malicious content to override Gemini configurations, leading to direct command execution on affected systems.
Understanding the Vulnerability
The security flaw, which lacks a CVE identifier, impacted several versions of the Gemini CLI. Specifically, it affected ‘@google/gemini-cli’ versions below 0.39.1 and 0.40.0-preview.3, as well as ‘google-github-actions/run-gemini-cli’ versions below 0.1.22. Google emphasized that the risk was primarily associated with workflows utilizing the Gemini CLI in headless mode. In such scenarios, the tool could automatically trust workspace folders, leading to potential exploitation in environments processing untrusted inputs, such as user-submitted pull requests.
The vulnerability stemmed from the automatic trust of current workspace folders, which allowed the tool to load any agent configuration without user consent. This behavior could be exploited by attackers planting specially crafted configurations, thereby facilitating remote code execution on the system hosting the agent.
Mitigation Strategies and Updates
To counteract the vulnerability, Google has implemented a requirement for folders to be explicitly trusted before their configurations can be accessed. The tech giant advises users to revise their workflows accordingly. For workflows operating on trusted inputs, users are instructed to set ‘GEMINI_TRUST_WORKSPACE: true’. In cases involving untrusted inputs, Google’s guidance recommends hardening the workflow against malicious content by setting specific environment variables.
Further, Google is enhancing its tool allowlisting processes when Gemini CLI is run in ‘–yolo mode’. This is to prevent remote code execution in scenarios involving untrusted inputs, such as user-submitted GitHub issues. The policy changes aim to ensure safe command execution while processing untrusted inputs, though some workflows may require adjustment to accommodate these new policies.
Additional Security Challenges
In addition to the Gemini CLI issue, Novee Security has identified a high-severity vulnerability in the AI-driven development tool, Cursor. This vulnerability, present in versions prior to 2.5, has a CVSS score of 8.1 and could lead to arbitrary code execution via prompt injection. Exploitation occurs through a sandbox escape mechanism in Git configurations, enabling malicious Git hooks to execute automatically during commit operations.
Moreover, a further vulnerability, dubbed CursorJacking, was disclosed by LayerX, revealing a high-severity access control issue that exposes sensitive API keys and credentials. This flaw could allow unauthorized access and data theft through rogue extensions, emphasizing the need for users to only download trusted extensions to mitigate risks.
These findings underscore the importance of stringent security measures and regular updates to safeguard against evolving cybersecurity threats. By addressing these vulnerabilities, Google and other stakeholders aim to enhance the security of development environments and maintain the integrity of software supply chains.
